Cookie Solution
The ICO state that the law requires:
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
-Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)
Those setting cookies must:
- Tell people that the cookies are there,
- Explain what the cookies are doing, and
- Obtain their consent to store a cookie on their device.
Since 2003 anyone using cookies has been required to provide clear information about those cookies. In May 2011 the existing rules were amended. Under the revised Regulations the requirement is not just to provide clear information about the cookies but also to obtain consent from users or subscribers to store a cookie on their device.
| |
2003 rule |
2011 rule |
| Requirement to provide information |
You must provide clear and comprehensive information about any cookies you are using |
You must provide clear and comprehensive information about any cookies you are using |
| Requirement to provide choice |
You must provide the option for people to opt out of cookies being stored on their devices |
You must obtain consent to store a cookie on a user or subscribers device |
Get the Privacy Policy (PP) right
Clients should already be conforming to the 2003 law by displaying clear and comprehensive information about any cookies you are using. This is where a cookie audit will be helpful to find out what cookies are being used so that you can then display them in your privacy policy.
There does not appear to be any requirement to tell a user how to manage or remove these cookies.
It would also be wise to make sure your terms and conditions mention cookies – maybe link to the privacy policy from your T&Cs.
What further action do web owners need to take?
In addition to explaining what and how the cookies are being used website owners must now obtain consent for the use any cookies that fall under the remit of the law – namely categories 2, 3 & 4.
The recent controversy and confusion has been largely how consent would be achieved and until the day of the deadline the ICO had been recommending that this should be via obtaining explicit content – i.e. asking the user for permission before setting any cookies.
Thankfully they have since released a statement saying that implied consent will be enough.
So the simplest way to achieve this is to make sure that on your privacy policy page, after the group of cookies listed, you add the appropriate consent wording in part 4 of the ICO guide (p12)
“By using our [website][online service], you agree that we can place these types of cookies on your device.”
NB. No consent is needed for essential cookies such as baskets or managing secure login areas.
Category 4: Targeting or Advertising Cookies
These cookies collect the most information about users, so where the website operator is responsible for setting a targeting or advertising cookie it is important to obtain a clear informed consent from the user to their use.
It is the party setting the cookie that is required by law to obtain the consent of the user but this is not always practical. Where a third party sets targeting or advertising cookies with the permission of the website operator, the website operator may be best placed to get consent for its use, even though it is the third party who is setting the cookie.
All other cookie types will not be affected.
Download the latest ICO Cookies Guidance (May 2012)
There are currently no comments on this post - be the first to comment using the form below.